Learn the most scalable and efficient way to provide role-based access across 100+ AWS accounts using an external identity provider, a key topic for the AWS Certified Security – Specialty exam.
Table of Contents
Question
A company uses AWS Organizations. The company has more than 100 AWS accounts and will increase the number of accounts. The company also uses an external corporate identity provider (IdP).
The company needs to provide users with role-based access to the accounts. The solution must maximize scalability and operational efficiency.
Which solution will meet these requirements?
A. In each account, create a set of dedicated IAM users. Ensure that all users assume these IAM users through federation with the existing IdP.
B. Deploy an IAM role in a central identity account. Allow users to assume the role through federation with the existing IdP. In each account, deploy a set of IAM roles that match the desired access patterns. Include a trust policy that allows access from the central identity account. Edit the permissions policy for the role in each account to match user access requirements.
C. Enable AWS IAM Identity Center. Integrate IAM Identity Center with the company’s existing IdP. Create permission sets that match the desired access patterns. Assign permissions to match user access requirements.
D. In each account, deploy a set of IAM roles that match the desired access patterns. Create a trust policy with the existing IdP. Update each role’s permissions policy to use SAML-based IAM condition keys that are based on user access requirements.
Answer
C. Enable AWS IAM Identity Center. Integrate IAM Identity Center with the company’s existing IdP. Create permission sets that match the desired access patterns. Assign permissions to match user access requirements.
Explanation
Here’s why this is the best approach:
- Scalability: IAM Identity Center allows you to manage access permissions centrally across all AWS accounts in your organization. This eliminates the need to create and manage individual IAM roles or users in each account, greatly simplifying management at scale.
- Integration with External IdP: IAM Identity Center seamlessly integrates with external identity providers like Azure AD, making it easy to leverage your existing user directory. This avoids duplication and ensures consistent access control.
- Permission Sets: IAM Identity Center uses permission sets to define the level of access users have to AWS resources. These permission sets can be reused across accounts, making it easy to enforce consistent permissions as you add more accounts.
- Granular Access Control: By assigning permission sets to users or groups from your IdP, you can precisely control who has access to which resources in each account. Permissions can be customized to match the exact requirements of each user’s role.
The other options are less suitable because:
- Option A requires manually creating dedicated IAM users in each account, which doesn’t scale well and is operationally inefficient.
- Option B improves on A by using IAM roles instead of users, but still requires deploying and managing roles individually in each account.
- Option D uses IAM roles with SAML-based conditions, but lacks the central management and permission set features of IAM Identity Center.
Therefore, enabling IAM Identity Center and integrating it with your IdP provides the most scalable, efficient, and secure solution for managing role-based access across a large and growing number of AWS accounts.
Amazon AWS Certified Security – Specialty SCS-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Security – Specialty SCS-C02 exam and earn Amazon AWS Certified Security – Specialty SCS-C02 certification.